3849 lines
149 KiB
YAML
3849 lines
149 KiB
YAML
---
|
|
openapi: 3.0.3
|
|
info:
|
|
title: Authelia API
|
|
description: >
|
|
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single
|
|
sign-on (SSO) for your applications via a web portal.
|
|
contact:
|
|
name: Support
|
|
url: https://www.authelia.com/contact/
|
|
email: team@authelia.com
|
|
license:
|
|
name: Apache 2.0
|
|
url: https://www.apache.org/licenses/LICENSE-2.0
|
|
version: 1.0.0
|
|
servers:
|
|
- url: "{{ .BaseURL }}"
|
|
description: Authelia API
|
|
tags:
|
|
- name: State
|
|
description: Configuration, health and state endpoints
|
|
- name: Authentication
|
|
description: Authentication endpoints
|
|
- name: Authorization
|
|
description: Authorization endpoints
|
|
{{- if .PasswordReset }}
|
|
- name: Password Reset
|
|
description: Password reset endpoints
|
|
- name: User Information
|
|
description: User configuration endpoints
|
|
{{- end }}
|
|
{{- if (or .TOTP .WebAuthn .Duo) }}
|
|
- name: Second Factor
|
|
description: TOTP, WebAuthn and Duo endpoints
|
|
externalDocs:
|
|
url: https://www.authelia.com/configuration/second-factor/introduction/
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
- name: OpenID Connect 1.0
|
|
description: OpenID Connect 1.0 and OAuth 2.0 Endpoints
|
|
externalDocs:
|
|
url: https://www.authelia.com/integration/openid-connect/introduction/
|
|
{{- end }}
|
|
paths:
|
|
/api/configuration:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Application Configuration
|
|
description: >
|
|
The configuration endpoint provides detailed information including available second factor methods, if any
|
|
second factor policies exist and the TOTP period configuration.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.configuration.ConfigurationBody'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/configuration/password-policy:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Password Policy Configuration
|
|
description: >
|
|
The password policy configuration endpoint provides a password policy for resetting passwords.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.configuration.PasswordPolicyConfigurationBody'
|
|
/api/health:
|
|
head:
|
|
tags:
|
|
- State
|
|
summary: Application Health
|
|
description: The health check endpoint provides information about the health of Authelia.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: Application Health
|
|
description: The health check endpoint provides information about the health of Authelia.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
/api/state:
|
|
get:
|
|
tags:
|
|
- State
|
|
summary: User Application State
|
|
description: >
|
|
The state endpoint provides detailed information including the user, current authenticate level and Authelia's
|
|
configured default redirection URL.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.StateResponse'
|
|
{{- $app := "" }}{{ if .Domain }}{{ $app = printf "https://%s/" .Domain }}{{ else if .BaseURL }}{{ $app = .BaseURL }}{{ else }}{{ $app = "https://app.example.com" }}{{ end }}
|
|
{{- $redir := printf "%s?rd=%s&rm=GET" (.BaseURL | default "https://auth.example.com/") (urlquery $app) }}
|
|
{{- range $name, $config := .EndpointsAuthz }}
|
|
{{- $uri := printf "/api/authz/%s" $name }}
|
|
{{- if (eq $name "legacy") }}{{ $uri = "/api/verify" }}{{ end }}
|
|
{{ $uri }}:
|
|
{{- if (eq $config.Implementation "Legacy") }}
|
|
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (Legacy)
|
|
description: >
|
|
The legacy authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified domain with several proxies. It's generally recommended users use a proxy
|
|
specific endpoint instead.
|
|
parameters:
|
|
- name: X-Original-URL
|
|
in: header
|
|
description: Redirection URL
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- name: X-Forwarded-Proto
|
|
in: header
|
|
description: Redirection URL (Scheme / Protocol)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: 'https'
|
|
schema:
|
|
type: string
|
|
- name: X-Forwarded-Host
|
|
in: header
|
|
description: Redirection URL (Host)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '{{ $.Domain | default "example.com" }}'
|
|
schema:
|
|
type: string
|
|
- name: X-Forwarded-URI
|
|
in: header
|
|
description: Redirection URL (URI)
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '/path/example'
|
|
schema:
|
|
type: string
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
- $ref: '#/components/parameters/authParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"401":
|
|
description: Unauthorized
|
|
headers:
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "ExtAuthz") }}
|
|
{{- range $method := list "get" "head" "options" "post" "put" "patch" "delete" "trace" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (ExtAuthz)
|
|
description: >
|
|
The ExtAuthz authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the Envoy proxy.
|
|
parameters:
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- $ref: '#/components/parameters/forwardedHostParam'
|
|
- $ref: '#/components/parameters/forwardedURIParam'
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
- $ref: '#/components/parameters/autheliaURLParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "ForwardAuth") }}
|
|
{{- range $method := list "get" "head" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (ForwardAuth)
|
|
description: >
|
|
The ForwardAuth authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the Traefik, Caddy, or Skipper proxies.
|
|
parameters:
|
|
- $ref: '#/components/parameters/forwardedMethodParam'
|
|
- $ref: '#/components/parameters/forwardedHostParam'
|
|
- $ref: '#/components/parameters/forwardedURIParam'
|
|
- $ref: '#/components/parameters/forwardedForParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"302":
|
|
description: Found
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- else if (eq $config.Implementation "AuthRequest") }}
|
|
{{- range $method := list "get" "head" }}
|
|
{{ $method }}:
|
|
tags:
|
|
- Authorization
|
|
summary: Authorization Verification (AuthRequest)
|
|
description: >
|
|
The AuthRequest authorization verification endpoint provides the ability to verify if a user has the necessary
|
|
permissions to access a specified resource with the HAPROXY, NGINX, or NGINX-based proxies.
|
|
parameters:
|
|
- $ref: '#/components/parameters/originalMethodParam'
|
|
- $ref: '#/components/parameters/originalURLParam'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
headers:
|
|
remote-user:
|
|
description: Username
|
|
schema:
|
|
type: string
|
|
example: john
|
|
remote-name:
|
|
description: Name
|
|
schema:
|
|
type: string
|
|
example: John Doe
|
|
remote-email:
|
|
description: Email
|
|
schema:
|
|
type: string
|
|
example: john.doe@authelia.com
|
|
remote-groups:
|
|
description: Comma separated list of Groups
|
|
schema:
|
|
type: string
|
|
example: admin,devs
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
"400":
|
|
description: Bad Request
|
|
"401":
|
|
description: Unauthorized
|
|
headers:
|
|
location:
|
|
description: Redirect Location for user authorization
|
|
example: '{{ $redir }}'
|
|
set-cookie:
|
|
description: Sets a new cookie value
|
|
schema:
|
|
type: string
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
/api/firstfactor:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Login
|
|
description: >
|
|
The firstfactor endpoint allows a user to login and generates an authentication cookie for authorization.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodyFirstFactorRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/checks/safe-redirection:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Check whether URI is safe to redirect to.
|
|
description: >
|
|
End users usually needs to be redirected to a target website after authentication. This endpoint aims to check
|
|
if target URL is safe to redirect to. This prevents open redirect attacks.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.checkURIWithinDomainRequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.checkURIWithinDomainResponseBody'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/logout:
|
|
post:
|
|
tags:
|
|
- Authentication
|
|
summary: Logout
|
|
description: The logout endpoint allows a user to logout and destroy a sesssion.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.logoutRequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.logoutResponseBody'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- if .PasswordReset }}
|
|
/api/reset-password/identity/start:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Identity Verification Token Creation
|
|
description: >
|
|
This endpoint is step 1 of 3 in the password reset process.
|
|
|
|
It validates the user session and sends the user an email with a token and a link to reset their password. This
|
|
step also generates a session cookie for the rest of the process.
|
|
|
|
The same session cookie must be used for all steps in this process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.PasswordResetStep1RequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/reset-password/identity/finish:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Identity Verification Token Validation
|
|
description: >
|
|
This endpoint is step 2 of 3 in the password reset process.
|
|
|
|
It validates the user session and reset token.
|
|
|
|
The same session cookie must be used for all steps in this process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/reset-password:
|
|
post:
|
|
tags:
|
|
- Password Reset
|
|
summary: Password Reset
|
|
description: >
|
|
This endpoint is step 3 of 3 in the password reset process.
|
|
|
|
It validates the user session and changes the password.
|
|
|
|
The same session cookie must be used for all steps in this process.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.PasswordResetStep2RequestBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
/api/user/info:
|
|
get:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: >
|
|
The user info endpoint provides detailed information including a users display name, preferred and registered
|
|
second factor method(s).
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: >
|
|
The user info endpoint provides detailed information including a users display name, preferred and registered
|
|
second factor method(s). The POST method also ensures the preferred method is configured correctly.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/user/info/2fa_method:
|
|
post:
|
|
tags:
|
|
- User Information
|
|
summary: User Configuration
|
|
description: The user info 2fa_method endpoint sets the users preferred second factor method.
|
|
requestBody:
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfo.MethodBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
{{- if .TOTP }}
|
|
/api/user/info/totp:
|
|
get:
|
|
tags:
|
|
- User Information
|
|
summary: User TOTP Configuration
|
|
description: >
|
|
The user TOTP info endpoint provides information necessary to display the TOTP component to validate their
|
|
TOTP input such as the period/frequency and number of digits.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.UserInfoTOTP'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/totp/identity/start:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Identity Verification TOTP Token Creation
|
|
description: >
|
|
This endpoint performs identity verification to begin the TOTP device registration process.
|
|
|
|
The session generated from this endpoint must be utilised for the subsequent step in the
|
|
`/api/secondfactor/totp/identity/finish` endpoint.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/totp/identity/finish:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Identity Verification TOTP Token Validation and Device Creation
|
|
description: >
|
|
This endpoint performs identity and token verification, upon success also generates TOTP device secret and
|
|
registers said device.
|
|
|
|
The session cookie generated from the `/api/secondfactor/totp/identity/start` endpoint must be utilised for the
|
|
step here.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.TOTPKeyResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/totp:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - TOTP
|
|
description: This endpoint performs second factor authentication with a TOTP key.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodySignTOTPRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.ErrorResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .WebAuthn }}
|
|
/api/secondfactor/webauthn/assertion:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - WebAuthn (Request)
|
|
description: This endpoint starts the second factor authentication process with the FIDO2 WebAuthn credential.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.PublicKeyCredentialRequestOptions'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - WebAuthn
|
|
description: This endpoint completes the second factor authentication process with the FIDO2 WebAuthn credential.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: "#/components/schemas/webauthn.CredentialAssertionResponse"
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/webauthn/identity/start:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Identity Verification WebAuthn Credential Creation
|
|
description: >
|
|
This endpoint performs identity verification to begin the FIDO2 WebAuthn credential attestation process
|
|
(registration).
|
|
|
|
The session generated from this endpoint must be utilised for the subsequent steps in the
|
|
`/api/secondfactor/webauthn/identity/finish` and `/api/secondfactor/webauthn/attestation` endpoints.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/webauthn/identity/finish:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Identity Verification FIDO2 WebAuthn Credential Validation
|
|
description: >
|
|
This endpoint performs identity and token verification, upon success generates a FIDO2 WebAuthn device
|
|
attestation challenge (registration).
|
|
|
|
The session cookie generated from the `/api/secondfactor/webauthn/identity/start` endpoint must be utilised
|
|
for the subsequent steps here and in the `/api/secondfactor/webauthn/attestation` endpoint.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.IdentityVerificationFinishBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.PublicKeyCredentialCreationOptions'
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/webauthn/attestation:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: WebAuthn Credential Attestation
|
|
description: This endpoint performs WebAuthn credential attestation (registration).
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/webauthn.CredentialAttestationResponse'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .Duo }}
|
|
/api/secondfactor/duo:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint performs second factor authentication with a Duo Mobile Push.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.bodySignDuoRequest'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.redirectResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/duo_devices:
|
|
get:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint retrieves a users available devices and capabilities from Duo.
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.DuoDevicesResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
/api/secondfactor/duo_device:
|
|
post:
|
|
tags:
|
|
- Second Factor
|
|
summary: Second Factor Authentication - Duo Mobile Push
|
|
description: This endpoint updates the users preferred Duo device and method.
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/handlers.DuoDeviceBody'
|
|
responses:
|
|
"200":
|
|
description: Successful Operation
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/middlewares.OkResponse'
|
|
"401":
|
|
description: Unauthorized
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
/.well-known/openid-configuration:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect Discovery 1.0 Document
|
|
description: >
|
|
This endpoint retrieves the OpenID Connect Discovery 1.0 document used by clients to perform discovery for
|
|
an OpenID Connect 1.0 Provider. See https://openid.net/specs/openid-connect-discovery-1_0.html.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.Metadata.OpenIDConfiguration'
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
/.well-known/oauth-authorization-server:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Authorization Server Metadata
|
|
description: >
|
|
This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to
|
|
perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.Metadata.OAuth2AuthorizationServer'
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
/jwks.json:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 JSON Web Key Set Document
|
|
description: >
|
|
This endpoint retrieves the OpenID Connect 1.0 JSON Web Key Set Document (JWKS) used by clients to validate
|
|
information from this OpenID Connect 1.0 Provider.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/jose.spec.JWKs'
|
|
/api/oidc/authorization:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Authorization Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Authorization.
|
|
parameters:
|
|
- in: query
|
|
name: id
|
|
required: false
|
|
description: The OpenID Connect 1.0 consent workflow ID.
|
|
schema:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
|
|
- in: query
|
|
name: scope
|
|
description: The requested scope.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'openid profile groups'
|
|
- in: query
|
|
name: response_type
|
|
description: The OAuth 2.0 response type.
|
|
required: true
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
- in: query
|
|
name: client_id
|
|
description: The OAuth 2.0 client identifier.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'app'
|
|
- in: query
|
|
name: redirect_uri
|
|
description: >
|
|
Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI
|
|
values for the Client pre-registered at the OpenID Provider, with the matching performed as described in
|
|
Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use
|
|
the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as
|
|
defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this
|
|
case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback
|
|
into a native application.
|
|
required: true
|
|
schema:
|
|
type: string
|
|
example: 'https://app.{{ .Domain | default "example.com" }}'
|
|
- in: query
|
|
name: state
|
|
description: >
|
|
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request
|
|
Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a
|
|
browser cookie.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
|
|
- in: query
|
|
name: response_mode
|
|
description: >
|
|
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
|
|
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
|
|
the default mode specified for the Response Type.
|
|
required: false
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
- in: query
|
|
name: nonce
|
|
description: >
|
|
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value
|
|
is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be
|
|
present in the nonce values used to prevent attackers from guessing values. For implementation notes, see
|
|
Section 15.5.2.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
|
|
- in: query
|
|
name: display
|
|
description: >
|
|
Not Supported: ASCII string value that specifies how the Authorization Server displays the authentication
|
|
and consent user interface pages to the End-User.
|
|
required: false
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
- in: query
|
|
name: prompt
|
|
description: >
|
|
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether the
|
|
Authorization Server prompts the End-User for reauthentication and consent.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: max_age
|
|
description: >
|
|
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User
|
|
was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to
|
|
actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE
|
|
[OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an
|
|
auth_time Claim Value.
|
|
required: false
|
|
schema:
|
|
type: integer
|
|
example: 3600
|
|
- in: query
|
|
name: ui_locales
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
|
|
"fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region
|
|
designation), followed by English (without a region designation). An error SHOULD NOT result if some or all
|
|
of the requested locales are not supported by the OpenID Provider.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'en-US'
|
|
- in: query
|
|
name: claims_locales
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT
|
|
result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
example: 'en-US'
|
|
- in: query
|
|
name: id_token_hint
|
|
required: false
|
|
description: >
|
|
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about the
|
|
End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token
|
|
is logged in or is logged in by the request, then the Authorization Server returns a positive response;
|
|
otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be
|
|
present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the
|
|
server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need
|
|
not be listed as an audience of the ID Token when it is used as an id_token_hint value. If the ID Token
|
|
received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the
|
|
signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to
|
|
the Authentication Server using a key that enables the server to decrypt the ID Token, and use the
|
|
re-encrypted ID token as the id_token_hint value.
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: login_hint
|
|
description: >
|
|
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to log in
|
|
(if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address
|
|
(or other identifier) and then wants to pass that value as a hint to the discovered authorization service.
|
|
It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone
|
|
number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's
|
|
discretion.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: acr_values
|
|
description: >
|
|
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
|
|
specifies the acr values that the Authorization Server is being requested to use for processing this
|
|
Authentication Request, with the values appearing in order of preference. The Authentication Context Class
|
|
satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2.
|
|
The acr Claim is requested as a Voluntary Claim by this parameter.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: claims
|
|
description: >
|
|
Not Supported: The claims parameter value, as specified in Section 5.5.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: registration
|
|
description: >
|
|
Not Supported: This parameter is used by the Client to provide information about itself to a Self-Issued OP
|
|
that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 7.2.1.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: request
|
|
description: >
|
|
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be encrypted to
|
|
the Self-Issued OP by the Client. In this case, the sub (subject) of a previously issued ID Token for this
|
|
Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only
|
|
supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: code_challenge
|
|
description: >
|
|
RFC7636 Code Challenge.
|
|
required: false
|
|
schema:
|
|
type: string
|
|
- in: query
|
|
name: code_challenge_method
|
|
required: false
|
|
description: >
|
|
RFC7636 Code Challenge Method. defaults to "plain" if not present in the request.
|
|
Code verifier transformation method is "S256" or "plain".
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
text/html:
|
|
schema:
|
|
type: string
|
|
description: The Form Post Response Mode content.
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
Location:
|
|
schema:
|
|
type: string
|
|
description: >
|
|
Redirection location for the consent flow, or the authorization response callback location when using
|
|
the Query or Fragment Response Modes.
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Authorization Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Authorization.
|
|
requestBody:
|
|
description: Authorize Request Parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.AuthorizeRequest'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
text/html:
|
|
schema:
|
|
type: string
|
|
description: The Form Post Response Mode content.
|
|
"303":
|
|
description: See Other
|
|
headers:
|
|
Location:
|
|
schema:
|
|
type: string
|
|
description: >
|
|
Redirection location for the consent flow, or the authorization response callback location when using
|
|
the Query or Fragment Response Modes.
|
|
"400":
|
|
description: Bad Request
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- authelia_auth: []
|
|
/api/oidc/token:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Token Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 Token Access Requests.
|
|
requestBody:
|
|
description: Access Request Parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.AuthorizationCodeFlow'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.RefreshTokenFlow'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.DeviceCodeFlow'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessResponse'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
/api/oidc/revocation:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Token Revocation Endpoint
|
|
description: >
|
|
This endpoint performs OAuth 2.0 Token Revocation Requests.
|
|
requestBody:
|
|
description: Required OAuth 2.0 revocation parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
/api/oidc/introspection:
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OAuth 2.0 Token Introspection Endpoint
|
|
description: >
|
|
This endpoint performs OAuth 2.0 Token Introspection Requests.
|
|
requestBody:
|
|
description: Required OAuth 2.0 introspection parameters.
|
|
required: true
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.spec.IntrospectionRequest'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Object'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
/api/oidc/userinfo:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 UserInfo Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
|
|
parameters:
|
|
- in: query
|
|
name: access_token
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
schema:
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/jwt: {}
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Object'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 UserInfo Endpoint
|
|
description: >
|
|
This endpoint performs OpenID Connect 1.0 UserInfo Access Requests.
|
|
parameters:
|
|
- in: query
|
|
name: access_token
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
schema:
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
requestBody:
|
|
content:
|
|
application/x-www-form-urlencoded:
|
|
schema:
|
|
type: object
|
|
properties:
|
|
access_token:
|
|
description: The OAuth 2.0 Access Token issued by this OpenID Connect 1.0 Provider.
|
|
type: string
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/jwt: {}
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Object'
|
|
"401":
|
|
description: Forbidden
|
|
"403":
|
|
description: Unauthorized
|
|
"500":
|
|
description: Internal Server Error
|
|
security:
|
|
- openid: []
|
|
/api/oidc/consent:
|
|
get:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Consent Information
|
|
description: >
|
|
This endpoint retrieves the consent information about a specific consent ID during the consent workflow.
|
|
parameters:
|
|
- $ref: '#/components/parameters/idRequiredParam'
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.request.consent'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
post:
|
|
tags:
|
|
- OpenID Connect 1.0
|
|
summary: OpenID Connect 1.0 Consent Response
|
|
description: >
|
|
This endpoint retrieves the consent response for a specific consent ID during the consent workflow.
|
|
responses:
|
|
"200":
|
|
description: OK
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/openid.response.consent'
|
|
"403":
|
|
description: Forbidden
|
|
security:
|
|
- authelia_auth: []
|
|
{{- end }}
|
|
components:
|
|
parameters:
|
|
originalMethodParam:
|
|
name: X-Original-Method
|
|
in: header
|
|
description: Request Method
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
enum:
|
|
- "GET"
|
|
- "HEAD"
|
|
- "POST"
|
|
- "PUT"
|
|
- "PATCH"
|
|
- "DELETE"
|
|
- "TRACE"
|
|
- "CONNECT"
|
|
- "OPTIONS"
|
|
- "COPY"
|
|
- "LOCK"
|
|
- "MKCOL"
|
|
- "MOVE"
|
|
- "PROPFIND"
|
|
- "PROPPATCH"
|
|
- "UNLOCK"
|
|
originalURLParam:
|
|
name: X-Original-URL
|
|
in: header
|
|
description: Redirection URL
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
forwardedMethodParam:
|
|
name: X-Forwarded-Method
|
|
in: header
|
|
description: Request Method
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
schema:
|
|
type: string
|
|
enum:
|
|
- "GET"
|
|
- "HEAD"
|
|
- "POST"
|
|
- "PUT"
|
|
- "PATCH"
|
|
- "DELETE"
|
|
- "TRACE"
|
|
- "CONNECT"
|
|
- "OPTIONS"
|
|
- "COPY"
|
|
- "LOCK"
|
|
- "MKCOL"
|
|
- "MOVE"
|
|
- "PROPFIND"
|
|
- "PROPPATCH"
|
|
- "UNLOCK"
|
|
forwardedProtoParam:
|
|
name: X-Forwarded-Proto
|
|
in: header
|
|
description: Redirection URL (Scheme / Protocol)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: 'https'
|
|
schema:
|
|
type: string
|
|
forwardedHostParam:
|
|
name: X-Forwarded-Host
|
|
in: header
|
|
description: Redirection URL (Host)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: '{{ .Domain | default "example.com" }}'
|
|
schema:
|
|
type: string
|
|
forwardedURIParam:
|
|
name: X-Forwarded-URI
|
|
in: header
|
|
description: Redirection URL (URI)
|
|
required: true
|
|
style: simple
|
|
explode: true
|
|
example: '/path/example'
|
|
schema:
|
|
type: string
|
|
forwardedForParam:
|
|
name: X-Forwarded-For
|
|
in: header
|
|
description: Clients IP address or IP address chain
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '192.168.0.55,192.168.0.20'
|
|
schema:
|
|
type: string
|
|
autheliaURLParam:
|
|
name: X-Authelia-URL
|
|
in: header
|
|
description: Authelia Portal URL
|
|
required: false
|
|
style: simple
|
|
explode: true
|
|
example: '{{ .BaseURL | default "https://auth.example.com" }}'
|
|
schema:
|
|
type: string
|
|
authParam:
|
|
name: auth
|
|
in: query
|
|
description: Switch authorization header and prompt for basic auth
|
|
required: false
|
|
schema:
|
|
type: string
|
|
enum: ["basic"]
|
|
idRequiredParam:
|
|
name: id
|
|
in: query
|
|
description: The ID of what is being requested
|
|
required: true
|
|
schema:
|
|
type: string
|
|
schemas:
|
|
handlers.checkURIWithinDomainRequestBody:
|
|
type: object
|
|
properties:
|
|
uri:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
handlers.checkURIWithinDomainResponseBody:
|
|
type: object
|
|
properties:
|
|
ok:
|
|
type: boolean
|
|
example: true
|
|
description: If redirection URL is safe.
|
|
handlers.configuration.ConfigurationBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
available_methods:
|
|
type: array
|
|
description: List of available 2FA methods. If no methods exist 2FA is disabled.
|
|
items:
|
|
enum:
|
|
- "totp"
|
|
- "webauthn"
|
|
- "mobile_push"
|
|
example: [totp, webauthn, mobile_push]
|
|
handlers.configuration.PasswordPolicyConfigurationBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
mode:
|
|
type: string
|
|
description: The password policy mode.
|
|
enum:
|
|
- "disabled"
|
|
- "standard"
|
|
- "zxcvbn"
|
|
min_length:
|
|
type: integer
|
|
description: The minimum password length when using the standard mode.
|
|
max_length:
|
|
type: integer
|
|
description: The maximum password length when using the standard mode.
|
|
min_score:
|
|
type: integer
|
|
description: The minimum password score when using the zxcvbn mode.
|
|
require_uppercase:
|
|
type: boolean
|
|
description: If uppercase characters are required when using the standard mode.
|
|
require_lowercase:
|
|
type: boolean
|
|
description: If uppercase characters are required when using the standard mode.
|
|
require_number:
|
|
type: boolean
|
|
description: If numeric characters are required when using the standard mode.
|
|
require_special:
|
|
type: boolean
|
|
description: If special characters are required when using the standard mode.
|
|
handlers.DuoDeviceBody:
|
|
required:
|
|
- device
|
|
- method
|
|
type: object
|
|
properties:
|
|
device:
|
|
type: string
|
|
example: ABCDE123456789FGHIJK
|
|
method:
|
|
type: string
|
|
example: push
|
|
handlers.DuoDevicesResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
result:
|
|
type: string
|
|
example: auth
|
|
devices:
|
|
type: array
|
|
items:
|
|
type: object
|
|
properties:
|
|
device:
|
|
type: string
|
|
example: ABCDE123456789FGHIJK
|
|
display_name:
|
|
type: string
|
|
example: iOS (+XX XXX XXX 123)
|
|
capabilities:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example: push
|
|
handlers.bodyFirstFactorRequest:
|
|
required:
|
|
- username
|
|
- password
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
password:
|
|
type: string
|
|
example: password
|
|
targetURL:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
requestMethod:
|
|
type: string
|
|
example: GET
|
|
keepMeLoggedIn:
|
|
type: boolean
|
|
example: true
|
|
handlers.logoutRequestBody:
|
|
type: object
|
|
properties:
|
|
targetURL:
|
|
type: string
|
|
example: 'https://redirect.{{ .Domain | default "example.com" }}'
|
|
handlers.logoutResponseBody:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
safeTargetURL:
|
|
type: boolean
|
|
example: true
|
|
handlers.redirectResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
redirect:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
{{- if .PasswordReset }}
|
|
handlers.PasswordResetStep1RequestBody:
|
|
required:
|
|
- username
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
handlers.PasswordResetStep2RequestBody:
|
|
required:
|
|
- password
|
|
type: object
|
|
properties:
|
|
password:
|
|
type: string
|
|
example: password
|
|
{{- end }}
|
|
{{- if .Duo }}
|
|
handlers.bodySignDuoRequest:
|
|
type: object
|
|
properties:
|
|
targetURL:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
passcode:
|
|
type: string
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
{{- end }}
|
|
handlers.StateResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
username:
|
|
type: string
|
|
example: john
|
|
authentication_level:
|
|
type: integer
|
|
example: 1
|
|
default_redirection_url:
|
|
type: string
|
|
example: 'https://home.{{ .Domain | default "example.com" }}'
|
|
middlewares.ErrorResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: KO
|
|
message:
|
|
type: string
|
|
example: Authentication failed, please retry later.
|
|
middlewares.IdentityVerificationFinishBody:
|
|
required:
|
|
- token
|
|
type: object
|
|
properties:
|
|
token:
|
|
type: string
|
|
example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDc5MjU1OTYsImlzcyI6IkF1dGhlbGlhIiwiYWN0aW9uIjoiUmVzZXRQYXNzd29yZCIsInVzZXJuYW1lIjoiQW1pciJ9.636yqRrUCGCe4jsMCsonleX5CYWHncYqZum-YYb6VaY
|
|
middlewares.OkResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
handlers.UserInfo:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
display_name:
|
|
type: string
|
|
example: John Doe
|
|
method:
|
|
type: string
|
|
enum:
|
|
- "totp"
|
|
- "webauthn"
|
|
- "mobile_push"
|
|
example: totp
|
|
has_webauthn:
|
|
type: boolean
|
|
example: false
|
|
has_totp:
|
|
type: boolean
|
|
example: true
|
|
has_duo:
|
|
type: boolean
|
|
example: true
|
|
handlers.UserInfo.MethodBody:
|
|
required:
|
|
- method
|
|
type: object
|
|
properties:
|
|
method:
|
|
type: string
|
|
enum:
|
|
- "totp"
|
|
- "webauthn"
|
|
- "mobile_push"
|
|
example: totp
|
|
{{- if .TOTP }}
|
|
handlers.UserInfoTOTP:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
period:
|
|
default: 30
|
|
description: The period defined in the users TOTP configuration
|
|
type: integer
|
|
example: 30
|
|
digits:
|
|
default: 6
|
|
description: The number of digits defined in the users TOTP configuration
|
|
type: integer
|
|
example: 6
|
|
handlers.bodySignTOTPRequest:
|
|
type: object
|
|
properties:
|
|
token:
|
|
type: string
|
|
example: '123456'
|
|
targetURL:
|
|
type: string
|
|
example: 'https://secure.{{ .Domain | default "example.com" }}'
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
handlers.TOTPKeyResponse:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
base32_secret:
|
|
type: string
|
|
example: 5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q
|
|
otpauth_url:
|
|
type: string
|
|
example: 'otpauth://totp/{{ .Domain | default "example.com" }}:john?algorithm=SHA1&digits=6&issuer=auth.{{ .Domain | default "example.com" }}&period=30&secret=5ZH7Y5CTFWOXN7EOLGBMMXADRNQFHVUDZSYKCN5HMFAIRSLAWY3Q'
|
|
{{- end }}
|
|
{{- if .WebAuthn }}
|
|
webauthn.PublicKeyCredential:
|
|
type: object
|
|
properties:
|
|
rawId:
|
|
type: string
|
|
format: byte
|
|
id:
|
|
type: string
|
|
type:
|
|
type: string
|
|
webauthn.AuthenticatorResponse:
|
|
type: object
|
|
properties:
|
|
clientDataJSON:
|
|
type: string
|
|
format: byte
|
|
webauthn.CredentialAttestationResponse:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
|
|
- type: object
|
|
properties:
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appidExclude:
|
|
type: boolean
|
|
response:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
|
|
- type: object
|
|
properties:
|
|
attestationObject:
|
|
type: string
|
|
format: byte
|
|
webauthn.CredentialAssertionResponse:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.PublicKeyCredential'
|
|
- type: object
|
|
properties:
|
|
response:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorResponse'
|
|
- type: object
|
|
required: [authenticatorData, clientDataJSON, signature]
|
|
properties:
|
|
authenticatorData:
|
|
type: string
|
|
format: byte
|
|
clientDataJSON:
|
|
type: string
|
|
format: byte
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: boolean
|
|
example: false
|
|
signature:
|
|
type: string
|
|
format: byte
|
|
userHandle:
|
|
type: string
|
|
format: byte
|
|
workflow:
|
|
type: string
|
|
example: openid_connect
|
|
workflowID:
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '3ebcfbc5-b0fd-4ee0-9d3c-080ae1e7298c'
|
|
webauthn.PublicKeyCredentialCreationOptions:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
publicKey:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.AttestationType'
|
|
- $ref: '#/components/schemas/webauthn.AuthenticatorSelectionCriteria'
|
|
- $ref: '#/components/schemas/webauthn.CredentialUserEntity'
|
|
- $ref: '#/components/schemas/webauthn.CredentialRPEntity'
|
|
- type: object
|
|
required:
|
|
- "challenge"
|
|
- "pubKeyCredParams"
|
|
properties:
|
|
challenge:
|
|
type: string
|
|
format: byte
|
|
pubKeyCredParams:
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- "alg"
|
|
- "type"
|
|
properties:
|
|
alg:
|
|
type: integer
|
|
type:
|
|
type: string
|
|
example: public-key
|
|
enum:
|
|
- "public-key"
|
|
timeout:
|
|
type: integer
|
|
example: 60000
|
|
excludeCredentials:
|
|
type: array
|
|
items:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
|
|
extensions:
|
|
type: object
|
|
properties:
|
|
appidExclude:
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
webauthn.PublicKeyCredentialRequestOptions:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
publicKey:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.UserVerification'
|
|
- type: object
|
|
required:
|
|
- "challenge"
|
|
properties:
|
|
challenge:
|
|
type: string
|
|
timeout:
|
|
type: integer
|
|
example: 60000
|
|
rpId:
|
|
type: string
|
|
example: 'auth.{{ .Domain | default "example.com" }}'
|
|
allowCredentials:
|
|
type: array
|
|
items:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialDescriptor'
|
|
extensions:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
webauthn.Transports:
|
|
type: object
|
|
properties:
|
|
transports:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example:
|
|
- "usb"
|
|
- "nfc"
|
|
enum:
|
|
- "usb"
|
|
- "nfc"
|
|
- "ble"
|
|
- "internal"
|
|
webauthn.UserVerification:
|
|
type: object
|
|
properties:
|
|
userVerification:
|
|
type: string
|
|
example: preferred
|
|
enum:
|
|
- "required"
|
|
- "preferred"
|
|
- "discouraged"
|
|
webauthn.AttestationType:
|
|
type: object
|
|
properties:
|
|
attestation:
|
|
type: string
|
|
example: direct
|
|
enum:
|
|
- "none"
|
|
- "indirect"
|
|
- "direct"
|
|
webauthn.AuthenticatorSelectionCriteria:
|
|
type: object
|
|
properties:
|
|
authenticatorSelection:
|
|
type: object
|
|
properties:
|
|
authenticatorAttachment:
|
|
type: string
|
|
example: cross-platform
|
|
enum:
|
|
- "platform"
|
|
- "cross-platform"
|
|
residentKey:
|
|
type: string
|
|
example: discouraged
|
|
enum:
|
|
- "discouraged"
|
|
- "preferred"
|
|
- "required"
|
|
requireResidentKey:
|
|
type: boolean
|
|
webauthn.CredentialDescriptor:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.Transports'
|
|
- type: object
|
|
required:
|
|
- "id"
|
|
- "type"
|
|
properties:
|
|
id:
|
|
type: string
|
|
format: byte
|
|
type:
|
|
type: string
|
|
example: public-key
|
|
enum:
|
|
- "public-key"
|
|
webauthn.CredentialEntity:
|
|
type: object
|
|
required:
|
|
- "id"
|
|
- "name"
|
|
properties:
|
|
id:
|
|
type: string
|
|
name:
|
|
type: string
|
|
icon:
|
|
type: string
|
|
webauthn.CredentialRPEntity:
|
|
type: object
|
|
required:
|
|
- "rp"
|
|
properties:
|
|
rp:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialEntity'
|
|
webauthn.CredentialUserEntity:
|
|
type: object
|
|
required:
|
|
- "user"
|
|
properties:
|
|
user:
|
|
allOf:
|
|
- $ref: '#/components/schemas/webauthn.CredentialEntity'
|
|
- type: object
|
|
required:
|
|
- "displayName"
|
|
properties:
|
|
displayName:
|
|
type: string
|
|
webauthn.AuthenticationExtensionsClientOutputs:
|
|
type: object
|
|
properties:
|
|
clientExtensionResults:
|
|
type: object
|
|
properties:
|
|
appid:
|
|
type: boolean
|
|
example: true
|
|
appidExclude:
|
|
type: boolean
|
|
example: false
|
|
uvm:
|
|
type: array
|
|
items:
|
|
type: string
|
|
format: byte
|
|
credProps:
|
|
type: object
|
|
properties:
|
|
rk:
|
|
type: boolean
|
|
example: false
|
|
largeBlob:
|
|
type: object
|
|
properties:
|
|
supported:
|
|
type: boolean
|
|
example: false
|
|
blob:
|
|
type: string
|
|
written:
|
|
type: boolean
|
|
example: false
|
|
{{- end }}
|
|
{{- if .OpenIDConnect }}
|
|
openid.request.consent:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
client_id:
|
|
type: string
|
|
description: The identifier of the client for the user to provide consent for.
|
|
example: 'app'
|
|
client_description:
|
|
description: The descriptive name of the client for the user to provide consent for.
|
|
type: string
|
|
example: 'App Platform'
|
|
scopes:
|
|
description: The list of the requested scopes for the user to provide consent for.
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- "openid"
|
|
- "offline_access"
|
|
- "groups"
|
|
- "email"
|
|
- "profile"
|
|
audience:
|
|
description: The list of the requested audiences for the user to provide consent for.
|
|
type: array
|
|
items:
|
|
type: string
|
|
pre_configuration:
|
|
description: Indicates if this client supports pre-configuration.
|
|
type: boolean
|
|
example: true
|
|
openid.response.consent:
|
|
type: object
|
|
properties:
|
|
status:
|
|
type: string
|
|
example: OK
|
|
data:
|
|
type: object
|
|
properties:
|
|
id:
|
|
description: The identifier of the consent session.
|
|
type: string
|
|
format: uuid
|
|
pattern: '^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$'
|
|
example: '713ef767-81bc-4a27-9b83-5fe2e101b2b4'
|
|
client_id:
|
|
description: The identifier of the client for the user to provide consent for.
|
|
type: string
|
|
example: 'app'
|
|
consent:
|
|
description: Indicates if the user consented to the consent request.
|
|
type: boolean
|
|
example: true
|
|
pre_configure:
|
|
description: Indicates if the user consented to pre-configuration.
|
|
type: boolean
|
|
example: true
|
|
openid.spec.Metadata.OAuth2AuthorizationServer:
|
|
type: object
|
|
required:
|
|
- issuer
|
|
- authorization_endpoint
|
|
- subject_types_supported
|
|
- response_types_supported
|
|
- require_pushed_authorization_requests
|
|
properties:
|
|
authorization_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/authorization'
|
|
claims_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
|
|
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
|
|
type: array
|
|
example:
|
|
- "amr"
|
|
- "aud"
|
|
- "azp"
|
|
- "client_id"
|
|
- "exp"
|
|
- "iat"
|
|
- "iss"
|
|
- "jti"
|
|
- "rat"
|
|
- "sub"
|
|
- "auth_time"
|
|
- "nonce"
|
|
- "email"
|
|
- "email_verified"
|
|
- "alt_emails"
|
|
- "groups"
|
|
- "preferred_username"
|
|
- "name"
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Array'
|
|
code_challenge_methods_supported:
|
|
description: >
|
|
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
|
|
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
|
|
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
|
|
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
|
|
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
type: array
|
|
example: ["S256", "none"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
grant_types_supported:
|
|
type: array
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
|
|
Types. If omitted, the default value is ["authorization_code", "implicit"].
|
|
example: ["authorization_code", "implicit"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.GrantType'
|
|
introspection_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0 Token
|
|
Introspection: https://datatracker.ietf.org/doc/html/rfc7662
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/introspection'
|
|
introspection_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token
|
|
Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If
|
|
omitted, the set of supported authentication methods MUST be determined by other means. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
|
|
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
introspection_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
|
|
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
|
|
present if either of these authentication methods are specified in the
|
|
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
|
|
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
issuer:
|
|
description:
|
|
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
|
|
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
|
|
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
jwks_uri:
|
|
description: >
|
|
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
|
|
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
|
|
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
|
|
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
|
|
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
|
|
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
|
|
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
|
|
type: string
|
|
example: '{{ .BaseURL }}jwks.json'
|
|
op_policy_uri:
|
|
description:
|
|
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
|
|
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
|
|
display this URL to the person registering the Client if it is given.
|
|
type: string
|
|
op_tos_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
|
|
terms of service. The registration process SHOULD display this URL to the person registering the Client if
|
|
it is given.
|
|
type: string
|
|
pushed_authorization_request_endpoint:
|
|
description: >
|
|
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
|
|
exchange for a "request_uri" value usable at the authorization server.
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/par'
|
|
registration_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
|
|
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/registration'
|
|
require_pushed_authorization_requests:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server accepts authorization request data only via
|
|
PAR. If omitted, the default value is "false".
|
|
type: boolean
|
|
example: false
|
|
response_modes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
|
|
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
|
|
OpenID Providers is ["query", "fragment"].
|
|
type: array
|
|
example: ["query", "fragment"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
response_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
|
|
Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
|
|
type: array
|
|
example: ["code", "id_token", "token id_token"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
revocation_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009].
|
|
See Also: OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/revocation'
|
|
revocation_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
|
|
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
revocation_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
|
|
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
|
|
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
|
|
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
scopes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server
|
|
MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even
|
|
when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
|
|
See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: array
|
|
example:
|
|
- "openid"
|
|
- "offline_access"
|
|
- "profile"
|
|
- "email"
|
|
- "groups"
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
|
|
service_documentation:
|
|
description: >
|
|
URL of a page containing human-readable information that developers might want or need to know when using
|
|
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
|
|
then information on how to register Clients needs to be provided in this documentation.
|
|
type: string
|
|
example: 'https://authelia.com'
|
|
subject_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Subject Identifier types that this OP supports.
|
|
Valid types include pairwise and public.
|
|
type: array
|
|
example: ["public", "pairwise"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
|
|
token_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
|
|
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/token'
|
|
token_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
|
|
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
|
|
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
|
|
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
|
|
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
|
|
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
token_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for
|
|
the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt
|
|
and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519'
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
ui_locales_supported:
|
|
type: array
|
|
description: >
|
|
Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646]
|
|
language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
openid.spec.Metadata.OpenIDConfiguration:
|
|
type: object
|
|
required:
|
|
- "issuer"
|
|
- "authorization_endpoint"
|
|
- "subject_types_supported"
|
|
- "response_types_supported"
|
|
- "require_pushed_authorization_requests"
|
|
- "request_uri_parameter_supported"
|
|
- "require_request_uri_registration"
|
|
- "claims_parameter_supported"
|
|
- "frontchannel_logout_supported"
|
|
- "frontchannel_logout_session_supported"
|
|
- "backchannel_logout_supported"
|
|
- "backchannel_logout_session_supported"
|
|
properties:
|
|
acr_values_supported:
|
|
description:
|
|
JSON array containing a list of the Authentication Context Class References that this OP supports.
|
|
type: array
|
|
items:
|
|
type: string
|
|
authorization_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Authorization Endpoint [OpenID.Core].
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/authorization'
|
|
backchannel_logout_session_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify
|
|
the RP session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP.
|
|
If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
backchannel_logout_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports back-channel logout, with true indicating support. If
|
|
omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
claim_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are
|
|
described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are
|
|
normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. See Also:
|
|
OpenID.Core Section 5.6: https://openid.net/specs/openid-connect-core-1_0.html#ClaimTypes
|
|
type: array
|
|
example: ["normal"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClaimType'
|
|
claims_locales_supported:
|
|
description: >
|
|
Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47
|
|
[RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
|
|
See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
type: array
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
claims_parameter_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
|
|
If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
claims_supported:
|
|
description: >
|
|
JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
|
|
values for. Note that for privacy or other reasons, this might not be an exhaustive list.
|
|
type: array
|
|
example:
|
|
- "amr"
|
|
- "aud"
|
|
- "azp"
|
|
- "client_id"
|
|
- "exp"
|
|
- "iat"
|
|
- "iss"
|
|
- "jti"
|
|
- "rat"
|
|
- "sub"
|
|
- "auth_time"
|
|
- "nonce"
|
|
- "email"
|
|
- "email_verified"
|
|
- "alt_emails"
|
|
- "groups"
|
|
- "preferred_username"
|
|
- "name"
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Claims.Array'
|
|
code_challenge_methods_supported:
|
|
description: >
|
|
JSON array containing a list of PKCE [RFC7636] code challenge methods supported by this authorization
|
|
server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section
|
|
4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code
|
|
Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support
|
|
PKCE. See Also: PKCE: https://datatracker.ietf.org/doc/html/rfc7636 IANA.OAuth.Parameters:
|
|
https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
type: array
|
|
example: ["S256", "plain"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.CodeChallengeMethod'
|
|
display_values_supported:
|
|
description: >
|
|
JSON array containing a list of the display parameter values that the OpenID Provider supports. These values
|
|
are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. See Also: OpenID.Core Section
|
|
3.1.2.1: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
type: array
|
|
example: ["page"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
frontchannel_logout_session_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to
|
|
identify the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is
|
|
also included in ID Tokens issued by the OP. If omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
frontchannel_logout_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support. If
|
|
omitted, the default value is false.
|
|
type: boolean
|
|
example: false
|
|
grant_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant
|
|
Types. If omitted, the default value is ["authorization_code", "implicit"].
|
|
type: array
|
|
example: ["authorization_code", "implicit"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.GrantType'
|
|
id_token_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID
|
|
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516 JWT:
|
|
https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
id_token_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID
|
|
Token to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
id_token_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
|
|
to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,
|
|
but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint
|
|
(such as when using the Authorization Code Flow).
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
introspection_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 introspection endpoint [RFC7662]. See Also: OAuth 2.0
|
|
Token Introspection: https://datatracker.ietf.org/doc/html/rfc7662'
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/introspection'
|
|
introspection_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this introspection endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access
|
|
Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section
|
|
7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. See Also:
|
|
IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 Authorization Server Metadata - Updated Registration Instructions:
|
|
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-discovery-10#section-7.2
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
introspection_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint
|
|
for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be
|
|
present if either of these authentication methods are specified in the
|
|
"introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is
|
|
omitted. The value "none" MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
issuer:
|
|
description: >
|
|
URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
|
|
If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned
|
|
by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
|
|
type: string
|
|
example: '{{ .BaseURL }}'
|
|
jwks_uri:
|
|
description: >
|
|
URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
|
|
signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
|
|
to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
|
|
parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
|
|
Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT
|
|
RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
|
|
keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
|
|
type: string
|
|
example: '{{ .BaseURL }}jwks.json'
|
|
op_policy_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about the OP's
|
|
requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD
|
|
display this URL to the person registering the Client if it is given.
|
|
type: string
|
|
op_tos_uri:
|
|
description: >
|
|
URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's
|
|
terms of service. The registration process SHOULD display this URL to the person registering the Client
|
|
if it is given.
|
|
type: string
|
|
pushed_authorization_request_endpoint:
|
|
description: >
|
|
The URL of the pushed authorization request endpoint at which a client can post an authorization request to
|
|
exchange for a "request_uri" value usable at the authorization server.
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/par'
|
|
registration_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. See Also:
|
|
OAuth 2.0 Dynamic Client Registration Protocol: https://datatracker.ietf.org/doc/html/rfc7591
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/registration'
|
|
request_object_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request
|
|
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
|
|
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
request_object_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request
|
|
Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by
|
|
reference. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
request_object_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request
|
|
Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are
|
|
used both when the Request Object is passed by value (using the request parameter) and when it is passed by
|
|
reference (using the request_uri parameter). Servers SHOULD support none and RS256.
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
request_uri_parameter_supported:
|
|
description: >
|
|
Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating
|
|
support. If omitted, the default value is true.
|
|
type: boolean
|
|
example: true
|
|
require_pushed_authorization_requests:
|
|
description: >
|
|
Boolean parameter indicating whether the authorization server accepts authorization request data only via
|
|
PAR. If omitted, the default value is "false".
|
|
type: boolean
|
|
example: false
|
|
require_request_uri_registration:
|
|
description: >
|
|
Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the
|
|
request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the
|
|
default value is false.
|
|
type: boolean
|
|
example: false
|
|
response_modes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in
|
|
OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic
|
|
OpenID Providers is ["query", "fragment"].
|
|
type: array
|
|
example: ["query", "fragment"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
response_types_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
|
|
Providers MUST support the code, id_token, and the token id_token Response Type values.
|
|
type: array
|
|
example: ["code", "id_token", "token id_token"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
revocation_endpoint:
|
|
description: >
|
|
URL of the authorization server''s OAuth 2.0 revocation endpoint [RFC7009]. See Also:
|
|
OAuth 2.0 Token Revocation: https://datatracker.ietf.org/doc/html/rfc7009
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/revocation'
|
|
revocation_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of client authentication methods supported by this revocation endpoint. The
|
|
valid client authentication method values are those registered in the IANA "OAuth Token Endpoint
|
|
Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic"
|
|
-- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
|
|
See Also: IANA.OAuth.Parameters: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
|
|
OAuth 2.0 - Client Password: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
|
|
type: array
|
|
example: ["client_secret_basic"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
revocation_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
|
|
endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for
|
|
the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if
|
|
either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported"
|
|
entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used.
|
|
See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
scopes_supported:
|
|
description: >
|
|
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
|
|
The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope
|
|
values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if
|
|
supported. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749 OpenID.Core:
|
|
https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: array
|
|
example:
|
|
- "openid"
|
|
- "offline_access"
|
|
- "profile"
|
|
- "email"
|
|
- "groups"
|
|
items:
|
|
$ref: '#/components/schemas/openid.implementation.Scopes.Object'
|
|
service_documentation:
|
|
description: >
|
|
URL of a page containing human-readable information that developers might want or need to know when using
|
|
the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration,
|
|
then information on how to register Clients needs to be provided in this documentation.
|
|
type: string
|
|
example: 'https://www.authelia.com'
|
|
subject_types_supported:
|
|
description: >
|
|
JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
|
|
pairwise and public.
|
|
type: array
|
|
example: ["public", "pairwise"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.SubjectIdentifier'
|
|
token_endpoint:
|
|
description: >
|
|
URL of the OP''s OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is
|
|
used. See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/token'
|
|
token_endpoint_auth_methods_supported:
|
|
description: >
|
|
JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options
|
|
are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section
|
|
9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If
|
|
omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section
|
|
2.3.1 of OAuth 2.0 [RFC6749]. See Also: OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
|
|
OpenID.Core Section 9: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
|
|
type: array
|
|
example: ["client_secret_post"]
|
|
items:
|
|
$ref: '#/components/schemas/openid.spec.ClientAuthMethod'
|
|
token_endpoint_auth_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint
|
|
for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the
|
|
private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256.
|
|
The value none MUST NOT be used. See Also: JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.jws'
|
|
ui_locales_supported:
|
|
description: >
|
|
Languages and scripts supported for the user interface, represented as a JSON array of BCP47
|
|
[RFC5646] language tag values. See Also: BCP47: https://datatracker.ietf.org/doc/html/rfc5646
|
|
type: array
|
|
example: ["en-US"]
|
|
items:
|
|
type: string
|
|
userinfo_encryption_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the
|
|
UserInfo Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE:
|
|
https://datatracker.ietf.org/doc/html/rfc7516 JWA: https://datatracker.ietf.org/doc/html/rfc7518
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCMKW"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.alg'
|
|
userinfo_encryption_enc_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo
|
|
Endpoint to encode the Claims in a JWT [JWT]. See Also: JWE: https://datatracker.ietf.org/doc/html/rfc7516
|
|
JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["A256GCM"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWE.enc'
|
|
userinfo_endpoint:
|
|
description: >
|
|
URL of the OP''s UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port,
|
|
path, and query parameter components.
|
|
See Also: OpenID.Core: https://openid.net/specs/openid-connect-core-1_0.html
|
|
type: string
|
|
example: '{{ .BaseURL }}api/oidc/userinfo'
|
|
userinfo_signing_alg_values_supported:
|
|
description: >
|
|
JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the
|
|
UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also:
|
|
JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518
|
|
JWT: https://datatracker.ietf.org/doc/html/rfc7519
|
|
type: array
|
|
example: ["none", "RS256"]
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWS.None'
|
|
openid.implementation.Claims.Array:
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- "amr"
|
|
- "aud"
|
|
- "azp"
|
|
- "client_id"
|
|
- "exp"
|
|
- "iat"
|
|
- "iss"
|
|
- "jti"
|
|
- "rat"
|
|
- "sub"
|
|
- "auth_time"
|
|
- "nonce"
|
|
- "email"
|
|
- "email_verified"
|
|
- "alt_emails"
|
|
- "groups"
|
|
- "preferred_username"
|
|
- "name"
|
|
openid.implementation.Claims.Object:
|
|
description: OpenID Connect 1.0 User Claims.
|
|
type: object
|
|
properties:
|
|
amr:
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum:
|
|
- "mfa"
|
|
- "mca"
|
|
- "user"
|
|
- "pin"
|
|
- "pwd"
|
|
- "otp"
|
|
- "hwk"
|
|
- "sms"
|
|
aud:
|
|
type: array
|
|
items:
|
|
type: string
|
|
azp:
|
|
type: string
|
|
client_id:
|
|
type: string
|
|
scope:
|
|
type: string
|
|
scp:
|
|
type: array
|
|
items:
|
|
type: string
|
|
exp:
|
|
type: integer
|
|
iat:
|
|
type: integer
|
|
iss:
|
|
type: string
|
|
jti:
|
|
type: string
|
|
rat:
|
|
type: integer
|
|
sub:
|
|
type: string
|
|
auth_time:
|
|
type: integer
|
|
nonce:
|
|
type: string
|
|
email:
|
|
type: string
|
|
email_verified:
|
|
type: boolean
|
|
alt_emails:
|
|
type: array
|
|
items:
|
|
type: string
|
|
groups:
|
|
type: array
|
|
items:
|
|
type: string
|
|
preferred_username:
|
|
type: string
|
|
name:
|
|
type: string
|
|
openid.implementation.Scopes.Object:
|
|
description: The scope.
|
|
type: string
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.Scopes'
|
|
- type: string
|
|
enum:
|
|
- "groups"
|
|
openid.spec.Scopes:
|
|
type: string
|
|
enum:
|
|
- "openid"
|
|
- "offline_access"
|
|
- "profile"
|
|
- "email"
|
|
- "address"
|
|
- "phone"
|
|
openid.spec.IntrospectionRequest:
|
|
required:
|
|
- "token"
|
|
type: object
|
|
properties:
|
|
token:
|
|
description: >
|
|
The string value of the token. For access tokens, this
|
|
is the "access_token" value returned from the token endpoint
|
|
defined in OAuth 2.0 [RFC6749], Section 5.1. For refresh tokens,
|
|
this is the "refresh_token" value returned from the token endpoint
|
|
as defined in OAuth 2.0 [RFC6749], Section 5.1. Other token types
|
|
are outside the scope of this specification.
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
type: string
|
|
token_type_hint:
|
|
description: >
|
|
A hint about the type of the token submitted for
|
|
introspection. The protected resource MAY pass this parameter to
|
|
help the authorization server optimize the token lookup. If the
|
|
server is unable to locate the token using the given hint, it MUST
|
|
extend its search across all of its supported token types. An
|
|
authorization server MAY ignore this parameter, particularly if it
|
|
is able to detect the token type automatically. Values for this
|
|
field are defined in the "OAuth Token Type Hints" registry defined
|
|
in OAuth Token Revocation [RFC7009].
|
|
enum:
|
|
- "access_token"
|
|
- "refresh_token"
|
|
example: 'access_token'
|
|
type: string
|
|
openid.spec.AccessRequest.ClientAuth:
|
|
oneOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Secret'
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.JWT'
|
|
openid.spec.AccessRequest.ClientAuth.Base:
|
|
required:
|
|
- "client_id"
|
|
type: object
|
|
properties:
|
|
client_id:
|
|
description: >
|
|
REQUIRED if the client is not authenticating with the authorization server as described in
|
|
Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
|
|
example: 'my_client'
|
|
type: string
|
|
openid.spec.AccessRequest.ClientAuth.Secret:
|
|
required:
|
|
- "client_secret"
|
|
type: object
|
|
properties:
|
|
client_secret:
|
|
description: >
|
|
REQUIRED. The client secret. The client MAY omit the
|
|
parameter if the client secret is an empty string.
|
|
format: password
|
|
type: string
|
|
openid.spec.AccessRequest.ClientAuth.JWT:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth.Base'
|
|
- type: object
|
|
required:
|
|
- "client_assertion"
|
|
- "client_assertion_type"
|
|
properties:
|
|
client_assertion:
|
|
description: >
|
|
The value of the client_assertion_type parameter MUST be
|
|
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
|
|
enum:
|
|
- "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
|
|
example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
|
|
type: string
|
|
client_assertion_type:
|
|
description: >
|
|
A JWT signed with HS256 using the client secret value or RS256 using a registered public key.
|
|
Theoretically a properly formed JWT signed using HS256 with the client secret as the HMAC key should
|
|
work but this has not been tested.
|
|
format: password
|
|
type: string
|
|
openid.spec.AccessRequest.AuthorizationCodeFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- "code"
|
|
- "grant_type"
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "code".
|
|
enum:
|
|
- "authorization_code"
|
|
type: string
|
|
code:
|
|
description: The Authorization Code.
|
|
example: 'authelia_ac_1j2kn3knj12n3kj12n'
|
|
type: string
|
|
code_verifier:
|
|
description: The Authorization Code Verifier (PKCE).
|
|
example: '88a25754f7c0b3b3b88cf6cd4e29e8356b160524fdc1cb329a94471825628fd3'
|
|
type: string
|
|
redirect_uri:
|
|
description: The original Redirect URI used in the Authorization Request.
|
|
example: 'https://app.{{ .Domain | default "example.com" }}/oidc/callback'
|
|
type: string
|
|
openid.spec.AccessRequest.DeviceCodeFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- "grant_type"
|
|
- "device_code"
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code".
|
|
enum:
|
|
- "urn:ietf:params:oauth:grant-type:device_code"
|
|
type: string
|
|
device_code:
|
|
description: The Device Authorization Code.
|
|
example: 'authelia_dc_mn123kjn12kj3123njk'
|
|
type: string
|
|
openid.spec.AccessRequest.RefreshTokenFlow:
|
|
allOf:
|
|
- $ref: '#/components/schemas/openid.spec.AccessRequest.ClientAuth'
|
|
- type: object
|
|
required:
|
|
- "grant_type"
|
|
- "device_code"
|
|
properties:
|
|
grant_type:
|
|
description: Value MUST be set to "refresh_token".
|
|
enum:
|
|
- "refresh_token"
|
|
type: string
|
|
refresh_token:
|
|
description: The Refresh Token.
|
|
example: 'authelia_rt_1n2j3kihn12kj3n12k'
|
|
type: string
|
|
scope:
|
|
description: >
|
|
The scope of the access request as described by
|
|
Section 3.3. The requested scope MUST NOT include any scope
|
|
not originally granted by the resource owner, and if omitted is
|
|
treated as equal to the scope originally granted by the
|
|
resource owner.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
openid.spec.AccessResponse:
|
|
type: object
|
|
required:
|
|
- "access_token"
|
|
- "token_type"
|
|
- "expires_in"
|
|
properties:
|
|
access_token:
|
|
description: The access token issued by the authorization server.
|
|
example: 'authelia_at_cr4i4EtTn2F4k6mX4XzxbsBewkxCGn'
|
|
type: string
|
|
id_token:
|
|
description: The id token issued by the authorization server.
|
|
example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
|
|
type: string
|
|
refresh_token:
|
|
description: >
|
|
The refresh token, which can be used to obtain new access tokens using the
|
|
same authorization grant as described in Section 6.
|
|
example: 'authelia_rt_kGBoSMbfVGP2RR6Kvujv3Xg7uXV2i'
|
|
type: string
|
|
token_type:
|
|
description: >
|
|
The access token type provides the client with the information
|
|
required to successfully utilize the access token to make a protected
|
|
resource request (along with type-specific attributes). The client
|
|
MUST NOT use an access token if it does not understand the token
|
|
type.
|
|
enum:
|
|
- "bearer"
|
|
example: 'bearer'
|
|
type: string
|
|
expires_in:
|
|
description: >
|
|
The lifetime in seconds of the access token. For
|
|
example, the value "3600" denotes that the access token will
|
|
expire in one hour from the time the response was generated.
|
|
If omitted, the authorization server SHOULD provide the
|
|
expiration time via other means or document the default value.
|
|
example: 3600
|
|
type: integer
|
|
state:
|
|
description: Exactly the state value passed in the authorization request if present.
|
|
example: '5dVZhNfri5XZS6wadskuzUk4MHYCvEcUgidjMeBjsktAhY7EKB'
|
|
type: string
|
|
scope:
|
|
description: >
|
|
The scope of the access token as described by Section 3.3 if it differs from the requested scope.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
openid.spec.AuthorizeRequest:
|
|
type: object
|
|
required:
|
|
- "scope"
|
|
- "response_type"
|
|
- "client_id"
|
|
- "redirect_uri"
|
|
properties:
|
|
scope:
|
|
description: The requested scope.
|
|
example: 'openid profile groups'
|
|
type: string
|
|
response_type:
|
|
$ref: '#/components/schemas/openid.spec.ResponseType'
|
|
client_id:
|
|
description: The OAuth 2.0 client identifier.
|
|
example: 'app'
|
|
type: string
|
|
redirect_uri:
|
|
description: >
|
|
Redirection URI to which the response will be sent. This URI MUST exactly match one of the
|
|
Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching
|
|
performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this
|
|
flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided
|
|
that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP
|
|
allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate
|
|
scheme, such as one that is intended to identify a callback into a native application.
|
|
example: 'https://app.{{ .Domain | default "example.com" }}'
|
|
type: string
|
|
state:
|
|
description: >
|
|
Opaque value used to maintain state between the request and the callback. Typically, Cross-Site
|
|
Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this
|
|
parameter with a browser cookie.
|
|
example: 'oV84Vsy7wyCgRk2h4aZBmXZq4q3g2f'
|
|
type: string
|
|
response_mode:
|
|
$ref: '#/components/schemas/openid.spec.ResponseMode'
|
|
nonce:
|
|
description: >
|
|
String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
|
|
The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient
|
|
entropy MUST be present in the nonce values used to prevent attackers from guessing values. For
|
|
implementation notes, see Section 15.5.2.
|
|
example: 'TRMLqchoKGQNcooXvBvUy9PtmLdJGf'
|
|
type: string
|
|
display:
|
|
$ref: '#/components/schemas/openid.spec.DisplayType'
|
|
prompt:
|
|
description: >
|
|
Not Supported: Space delimited, case sensitive list of ASCII string values that specifies whether
|
|
the Authorization Server prompts the End-User for reauthentication and consent.
|
|
enum:
|
|
- "none"
|
|
- "login"
|
|
- "consent"
|
|
- "select_account"
|
|
- "login consent"
|
|
- "login select_account"
|
|
- "consent select_account"
|
|
example: 'consent'
|
|
type: string
|
|
max_age:
|
|
description: >
|
|
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the
|
|
End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the
|
|
OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds
|
|
to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID
|
|
Token returned MUST include an auth_time Claim Value.
|
|
type: integer
|
|
ui_locales:
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for the user interface, represented as a
|
|
space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance,
|
|
the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without
|
|
a region designation), followed by English (without a region designation). An error SHOULD NOT
|
|
result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
type: string
|
|
claims_locales:
|
|
description: >
|
|
Not Supported: End-User's preferred languages and scripts for Claims being returned, represented as
|
|
a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error
|
|
SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
|
|
type: string
|
|
id_token_hint:
|
|
description: >
|
|
Not Supported: ID Token previously issued by the Authorization Server being passed as a hint about
|
|
the End-User's current or past authenticated session with the Client. If the End-User identified by
|
|
the ID Token is logged in or is logged in by the request, then the Authorization Server returns a
|
|
positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an
|
|
id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be
|
|
returned if it is not; however, the server SHOULD respond successfully when possible, even if it is
|
|
not present. The Authorization Server need not be listed as an audience of the ID Token when it is
|
|
used as an id_token_hint value. If the ID Token received by the RP from the OP is encrypted, to use
|
|
it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted
|
|
ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key
|
|
that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the
|
|
id_token_hint value.
|
|
type: string
|
|
login_hint:
|
|
description: >
|
|
Not Supported: Hint to the Authorization Server about the login identifier the End-User might use to
|
|
log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail
|
|
address (or other identifier) and then wants to pass that value as a hint to the discovered
|
|
authorization service. It is RECOMMENDED that the hint value match the value used for discovery.
|
|
This value MAY also be a phone number in the format specified for the phone_number Claim. The use
|
|
of this parameter is left to the OP's discretion.
|
|
type: string
|
|
acr_values:
|
|
description: >
|
|
Not Supported: Requested Authentication Context Class Reference values. Space-separated string that
|
|
specifies the acr values that the Authorization Server is being requested to use for processing this
|
|
Authentication Request, with the values appearing in order of preference. The Authentication Context
|
|
Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in
|
|
Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
|
|
type: string
|
|
claims:
|
|
description: >
|
|
Not Supported: The claims parameter value, as specified in Section 5.5.
|
|
type: string
|
|
registration:
|
|
description: >
|
|
Not Supported: This parameter is used by the Client to provide information about itself to a
|
|
Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as
|
|
specified in Section 7.2.1.
|
|
type: string
|
|
request:
|
|
description: >
|
|
Not Supported: Request Object value, as specified in Section 6.1. The Request Object MAY be
|
|
encrypted to the Self-Issued OP by the Client. In this case, the sub (subject) of a previously
|
|
issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to
|
|
Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption
|
|
algorithm used is RSA1_5.
|
|
type: string
|
|
openid.spec.SubjectIdentifier:
|
|
description: >
|
|
A Subject Identifier is a locally unique and never reassigned identifier within the Issuer for the
|
|
End-User, which is intended to be consumed by the Client.
|
|
enum:
|
|
- "public"
|
|
- "pairwise"
|
|
type: string
|
|
openid.spec.ClientAuthMethod:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Client Authentication Method.
|
|
enum:
|
|
- "client_secret_basic"
|
|
- "client_secret_post"
|
|
- "client_secret_jwt"
|
|
- "private_key_jwt"
|
|
- "none"
|
|
type: string
|
|
openid.spec.DisplayType:
|
|
description: >
|
|
ASCII string value that specifies how the Authorization Server displays the authentication and consent user
|
|
interface pages to the End-User.
|
|
enum:
|
|
- "page"
|
|
- "popup"
|
|
- "touch"
|
|
- "wap"
|
|
example: 'page'
|
|
type: string
|
|
openid.spec.ResponseType:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Response Type.
|
|
enum:
|
|
- "code"
|
|
- "id_token"
|
|
- "token"
|
|
- "code token"
|
|
- "code id_token"
|
|
- "token id_token"
|
|
- "code id_token token"
|
|
- "none"
|
|
example: 'code'
|
|
type: string
|
|
openid.spec.ResponseMode:
|
|
description: >
|
|
Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization
|
|
Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is
|
|
the default mode specified for the Response Type.
|
|
enum:
|
|
- "query"
|
|
- "fragment"
|
|
- "form_post"
|
|
example: 'query'
|
|
type: string
|
|
openid.spec.GrantType:
|
|
description: The OAuth 2.0 / OpenID Connect 1.0 Grant Type.
|
|
enum:
|
|
- "authorization_code"
|
|
- "refresh_token"
|
|
- "implicit"
|
|
- "password"
|
|
- "client_credentials"
|
|
- "urn:ietf:params:oauth:grant-type:device_code"
|
|
example: 'authorization_code'
|
|
type: string
|
|
openid.spec.CodeChallengeMethod:
|
|
description: The RFC7636 Code Challenge Verifier Method.
|
|
enum:
|
|
- "plain"
|
|
- "S256"
|
|
example: 'S256'
|
|
type: string
|
|
openid.spec.ClaimType:
|
|
description: The representation of claims.
|
|
enum:
|
|
- "normal"
|
|
- "aggregated"
|
|
- "distributed"
|
|
example: 'normal'
|
|
type: string
|
|
jose.spec.None:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
enum:
|
|
- "none"
|
|
jose.spec.JWS.None:
|
|
description: The JSON Web Signature Algorithm
|
|
oneOf:
|
|
- $ref: '#/components/schemas/jose.spec.None'
|
|
- $ref: '#/components/schemas/jose.spec.jws'
|
|
type: string
|
|
jose.spec.jws:
|
|
description: The JSON Web Signature Algorithm
|
|
enum:
|
|
- "HS256"
|
|
- "HS384"
|
|
- "HS512"
|
|
- "RS256"
|
|
- "RS384"
|
|
- "RS512"
|
|
- "ES256"
|
|
- "ES384"
|
|
- "ES512"
|
|
- "PS256"
|
|
- "PS384"
|
|
- "PS512"
|
|
type: string
|
|
jose.spec.JWE.alg:
|
|
description: The JSON Web Encryption Algorithm (CEK)
|
|
enum:
|
|
- "RSA1_5"
|
|
- "RSA-OAEP"
|
|
- "RSA-OAEP-256"
|
|
- "A128KW"
|
|
- "A192KW"
|
|
- "A256KW"
|
|
- "dir"
|
|
- "ECDH-ES"
|
|
- "ECDH-ES+A128KW"
|
|
- "ECDH-ES+A192KW"
|
|
- "ECDH-ES+A256KW"
|
|
- "A128GCMKW"
|
|
- "A192GCMKW"
|
|
- "A256GCMKW"
|
|
- "PBES2-HS256+A128KW"
|
|
- "PBES2-HS384+A192KW"
|
|
- "PBES2-HS512+A256KW"
|
|
type: string
|
|
jose.spec.JWE.enc:
|
|
description: The JSON Web Encryption Algorithm (Claims)
|
|
enum:
|
|
- "A128CBC-HS256"
|
|
- "A192CBC-HS384"
|
|
- "A256CBC-HS512"
|
|
- "A128CBC"
|
|
- "A256CBC"
|
|
- "A128GCM"
|
|
- "A256GCM"
|
|
type: string
|
|
jose.spec.JWK.base:
|
|
type: object
|
|
properties:
|
|
use:
|
|
description: >
|
|
The "use" (public key use) parameter identifies the intended use of
|
|
the public key. The "use" parameter is employed to indicate whether
|
|
a public key is used for encrypting data or verifying the signature
|
|
on data.
|
|
enum:
|
|
- "sig"
|
|
- "enc"
|
|
example: 'sig'
|
|
type: string
|
|
key_ops:
|
|
description: >
|
|
The "key_ops" (key operations) parameter identifies the operation(s)
|
|
for which the key is intended to be used. The "key_ops" parameter is
|
|
intended for use cases in which public, private, or symmetric keys
|
|
may be present.
|
|
example: ["sign"]
|
|
type: array
|
|
items:
|
|
enum:
|
|
- "sign"
|
|
- "verify"
|
|
- "encrypt"
|
|
- "decrypt"
|
|
- "wrapKey"
|
|
- "unwrapKey"
|
|
- "deriveKey"
|
|
- "deriveBits"
|
|
type: string
|
|
kid:
|
|
description: >
|
|
The "kid" (key ID) parameter is used to match a specific key. This
|
|
is used, for instance, to choose among a set of keys within a JWK Set
|
|
during key rollover. The structure of the "kid" value is
|
|
unspecified. When "kid" values are used within a JWK Set, different
|
|
keys within the JWK Set SHOULD use distinct "kid" values. (One
|
|
example in which different keys might use the same "kid" value is if
|
|
they have different "kty" (key type) values but are considered to be
|
|
equivalent alternatives by the application using them.) The "kid"
|
|
value is a case-sensitive string. Use of this member is OPTIONAL.
|
|
When used with JWS or JWE, the "kid" value is used to match a JWS or
|
|
JWE "kid" Header Parameter value.
|
|
type: string
|
|
x5u:
|
|
description: >
|
|
The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
|
|
resource for an X.509 public key certificate or certificate chain
|
|
[RFC5280]. The identified resource MUST provide a representation of
|
|
the certificate or certificate chain that conforms to RFC 5280
|
|
[RFC5280] in PEM-encoded form, with each certificate delimited as
|
|
specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
|
|
certificate MUST match the public key represented by other members of
|
|
the JWK. The protocol used to acquire the resource MUST provide
|
|
integrity protection; an HTTP GET request to retrieve the certificate
|
|
MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
|
|
validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
|
|
member is OPTIONAL.
|
|
type: string
|
|
x5c:
|
|
description: >
|
|
The "x5c" (X.509 certificate chain) parameter contains a chain of one
|
|
or more PKIX certificates [RFC5280]. The certificate chain is
|
|
represented as a JSON array of certificate value strings. Each
|
|
string in the array is a base64-encoded (Section 4 of [RFC4648] --
|
|
not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
|
|
The PKIX certificate containing the key value MUST be the first
|
|
certificate. This MAY be followed by additional certificates, with
|
|
each subsequent certificate being the one used to certify the
|
|
previous one. The key in the first certificate MUST match the public
|
|
key represented by other members of the JWK. Use of this member is
|
|
OPTIONAL.
|
|
type: array
|
|
items:
|
|
format: byte
|
|
type: string
|
|
x5t:
|
|
description: >
|
|
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
|
|
base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
|
|
encoding of an X.509 certificate [RFC5280]. Note that certificate
|
|
thumbprints are also sometimes known as certificate fingerprints.
|
|
The key in the certificate MUST match the public key represented by
|
|
other members of the JWK. Use of this member is OPTIONAL.
|
|
format: byte
|
|
type: string
|
|
x5t#S256:
|
|
description: >
|
|
The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
|
|
base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
|
|
encoding of an X.509 certificate [RFC5280]. Note that certificate
|
|
thumbprints are also sometimes known as certificate fingerprints.
|
|
The key in the certificate MUST match the public key represented by
|
|
other members of the JWK. Use of this member is OPTIONAL.
|
|
format: byte
|
|
type: string
|
|
jose.spec.JWK.RSA:
|
|
description: RSA Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- required:
|
|
- "kty"
|
|
- "n"
|
|
- "e"
|
|
type: object
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'RSA'
|
|
enum:
|
|
- "RSA"
|
|
alg:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
example: 'RS256'
|
|
enum:
|
|
- "RS256"
|
|
- "RS384"
|
|
- "RS512"
|
|
- "PS256"
|
|
- "PS384"
|
|
- "PS512"
|
|
n:
|
|
description: >
|
|
RSA Public Key: The "n" (modulus) parameter contains the modulus value for the RSA public key. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
e:
|
|
description: >
|
|
RSA Public Key: The "e" (exponent) parameter contains the exponent value for the RSA public key.
|
|
It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.RSA.Private:
|
|
description: RSA Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
|
|
- type: object
|
|
required:
|
|
- "d"
|
|
properties:
|
|
d:
|
|
description: >
|
|
RSA Private Key: The "d" (private exponent) parameter contains the private exponent value for the RSA
|
|
private key. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
p:
|
|
description: >
|
|
RSA Private Key: The "p" (first prime factor) parameter contains the first prime factor.
|
|
It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
q:
|
|
description: >
|
|
RSA Private Key: The "q" (second prime factor) parameter contains the second prime factor. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
dp:
|
|
description: >
|
|
RSA Private Key: The "dp" (first factor CRT exponent) parameter contains the Chinese Remainder Theorem
|
|
(CRT) exponent of the first factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
dq:
|
|
description: >
|
|
RSA Private Key: The "dq" (second factor CRT exponent) parameter contains the CRT exponent of the
|
|
second factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
qi:
|
|
description: >
|
|
RSA Private Key: The "qi" (first CRT coefficient) parameter contains the CRT coefficient of the second
|
|
factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
oth:
|
|
description: >
|
|
The "oth" (other primes info) parameter contains an array of
|
|
information about any third and subsequent primes, should they exist.
|
|
type: array
|
|
items:
|
|
type: object
|
|
required:
|
|
- "r"
|
|
- "d"
|
|
- "t"
|
|
properties:
|
|
r:
|
|
description: >
|
|
The "r" (prime factor) parameter within an "oth" array member
|
|
represents the value of a subsequent prime factor. It is represented
|
|
as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
d:
|
|
description: >
|
|
The "d" (factor CRT exponent) parameter within an "oth" array member
|
|
represents the CRT exponent of the corresponding prime factor. It is
|
|
represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
t:
|
|
description: >
|
|
The "t" (factor CRT coefficient) parameter within an "oth" array
|
|
member represents the CRT coefficient of the corresponding prime
|
|
factor. It is represented as a Base64urlUInt-encoded value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.EC:
|
|
description: Elliptic Curve Public Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- type: object
|
|
required:
|
|
- "kty"
|
|
- "crv"
|
|
- "x"
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'EC'
|
|
enum:
|
|
- "EC"
|
|
alg:
|
|
description: The JSON Web Signature Algorithm
|
|
type: string
|
|
example: 'ES256'
|
|
enum:
|
|
- "ES256"
|
|
- "ES384"
|
|
- "ES512"
|
|
x:
|
|
description: >
|
|
EC Public Key: The x coordinate parameter contains the x coordinate for the Elliptic Curve point.
|
|
It is represented as the base64url encoding of the octet string representation of the coordinate, as
|
|
defined in Section 2.3.5 of SEC1 [SEC1].
|
|
type: string
|
|
format: byte
|
|
y:
|
|
description: >
|
|
EC Public Key: The y coordinate parameter contains the y coordinate for the Elliptic Curve point.
|
|
It is represented as the base64url encoding of the octet string representation of the coordinate, as
|
|
defined in Section 2.3.5 of SEC1 [SEC1].
|
|
type: string
|
|
format: byte
|
|
crv:
|
|
description: >
|
|
The curve parameter identifies the cryptographic curve used with the key. Curve
|
|
values from [DSS] used by this specification.
|
|
type: string
|
|
example: 'P-521'
|
|
enum:
|
|
- "P-256"
|
|
- "P-384"
|
|
- "P-521"
|
|
- "Ed25519"
|
|
- "Ed448"
|
|
- "X25519"
|
|
- "X448"
|
|
- "secp256k1"
|
|
jose.spec.JWK.EC.Private:
|
|
description: Elliptic Curve Private Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC'
|
|
- type: object
|
|
required:
|
|
- "d"
|
|
properties:
|
|
d:
|
|
description: >
|
|
ECC Private Key: The "d" (ECC private key) parameter contains the Elliptic Curve private key value. It
|
|
is represented as the base64url encoding of the octet string representation of the private key value,
|
|
as defined in Section 2.3.7 of SEC1 [SEC1]. The length of this octet string MUST be
|
|
ceiling(log-base-2(n)/8) octets (where n is the order of the curve).
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK.Symmetric:
|
|
description: Symmetric Key in JSON Web Key format as defined by RFC7517 and RFC7518.
|
|
allOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.base'
|
|
- type: object
|
|
required:
|
|
- "k"
|
|
properties:
|
|
kty:
|
|
description: >
|
|
The "kty" (key type) parameter identifies the cryptographic algorithm
|
|
family used with the key.
|
|
type: string
|
|
example: 'oct'
|
|
enum:
|
|
- "oct"
|
|
k:
|
|
description: >
|
|
The "k" (key value) parameter contains the value of the symmetric (or
|
|
other single-valued) key. It is represented as the base64url
|
|
encoding of the octet sequence containing the key value.
|
|
type: string
|
|
format: byte
|
|
jose.spec.JWK:
|
|
type: string
|
|
anyOf:
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.RSA.Private'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.EC.Private'
|
|
- $ref: '#/components/schemas/jose.spec.JWK.Symmetric'
|
|
jose.spec.JWKs:
|
|
type: object
|
|
description: The JSON Web Key Sets Document as defined by RFC7517.
|
|
properties:
|
|
keys:
|
|
description: List of JSON Wek Key's in the JSON Web Key format as defined by RFC7517.
|
|
type: array
|
|
items:
|
|
$ref: '#/components/schemas/jose.spec.JWK'
|
|
{{- end }}
|
|
securitySchemes:
|
|
authelia_auth:
|
|
type: apiKey
|
|
name: "{{ .Session }}"
|
|
in: cookie
|
|
{{- if .OpenIDConnect }}
|
|
openid:
|
|
type: openIdConnect
|
|
openIdConnectUrl: "{{ .BaseURL }}.well-known/openid-configuration"
|
|
{{- end }}
|
|
...
|